Bug 1907805 (CVE-2020-35470) - CVE-2020-35470 envoy: logs incorrect downstream address making it possible to bypass the RBAC policy
Summary: CVE-2020-35470 envoy: logs incorrect downstream address making it possible to...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35470
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1907809
TreeView+ depends on / blocked
 
Reported: 2020-12-15 09:45 UTC by Marian Rehak
Modified: 2023-08-30 23:50 UTC (History)
5 users (show)

Fixed In Version: envoy 1.16.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-16 16:19:29 UTC
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2020-12-15 09:45:19 UTC 
Envoy 1.16.0 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).

Upstream Issue:

https://github.com/envoyproxy/envoy/issues/14087
Comment 1 Product Security DevOps Team 2020-12-16 16:19:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35470
Comment 2 Mark Cooper 2020-12-17 05:49:16 UTC 
Confirmed regression from https://github.com/envoyproxy/envoy/commit/fa2a7dbe5f1a0847e0bcbdcb001bac5f80bc92d9

So only affects v1.16.0. OSSM 2.0 is still on 1.14.5. Also given how maistra/envoy works we absorbed the changes but never the regression. 

OSSM 1.0 is 1.12.6, not vuln and oos.
Comment 3 Mark Cooper 2020-12-17 05:49:39 UTC 
External References:

https://github.com/envoyproxy/envoy/issues/14087
Comment 4 Mark Cooper 2020-12-17 05:50:35 UTC 
Upstream fix: https://github.com/envoyproxy/envoy/pull/14132/commits/acc4a83bcfcc44c61e48b802cbb0972df3fdd4b5
Note You need to log in before you can comment on or make changes to this bug.